SEC579: Virtualization and Private Cloud Security

SEC579 actually provides pertinent information outside what is freely available and is applicable to securing my organization's virtual infrastructure.

David Richardson, ManTech

The rush for virtualization is difficult for security sensitive environments. SEC579 helps demonstrate which risks are valid.

Paul Mayers, Lloyds Banking Group

One of today's most rapidly evolving and widely deployed technologies is server virtualization. Many organizations are already realizing the cost savings from implementing virtualized servers, and systems administrators love the ease of deployment and management for virtualized systems. There are even security benefits of virtualization - easier business continuity and disaster recovery, single points of control over multiple systems, role-based access, and additional auditing and logging capabilities for large infrastructures.

Server virtualization vulnerabilities

With these benefits comes a dark side, however. Virtualization adds new attack surface - the hypervisor itself, its management plane, and the shared networking and storage underneath it - and with it new vulnerabilities that must be managed. In addition, there are a vast number of configuration options that security and system administrators need to understand, with an added layer of complexity that has to be managed by operations teams. Virtualization technologies also connect to network infrastructure and storage networks and require careful planning with regard to access controls, user permissions, and traditional security controls.

In addition, many organizations are evolving virtualized infrastructure into private clouds - internal shared services running on virtualized infrastructure. Security architecture, policies, and processes will need to adapt to work within a cloud infrastructure, as well, and there are many changes that security and operations teams will need to accommodate to ensure assets are protected.

The class starts out with two days of architecture and security design for both virtualization and private cloud infrastructure. The entire gamut of components will be covered, ranging from hypervisor platforms and virtual networking to storage security and locking down the individual virtual machine files. We'll describe how to secure the management interfaces and servers, delve into Virtual Desktop Infrastructure (VDI), and go in-depth on what to consider when building a private cloud from existing virtualization architecture. Finally, we'll look at integrating virtual firewalls and intrusion detection systems into the new architecture for access control and network monitoring.

Virtualization infrastructure, policy, and auditing

The next two days we'll go into detail on offense and defense - how can we assess virtualized environments using scanning and pen testing tools and techniques, and how do things change when we move to a cloud model? We'll cover a variety of scanners and vulnerability management tools and practices, and then take a hard look at virtualization vulnerabilities, exploits, and toolkits for pen testing that we can put to use in class.

Once we cover the offense, we'll take the opposite approach and go into detail on performing intrusion detection and logging within the virtual environment, as well as covering anti-malware advances and changes within virtual infrastructure. We'll wrap up the session with coverage of incident handling within virtual and cloud environments, as well as adapting forensics processes and tools to ensure we can maintain chain-of-custody and perform detailed analysis of virtualized assets.

Vulnerability management, pen testing, and intrusion detection

During day 5, we will help you adapt your existing security policies and practices to the new virtualized or cloud-based infrastructure. We'll show you how to design a foundational risk assessment program and then build on this with policies, governance, and change and configuration management for virtualization and cloud. We'll wrap up the day with compliance considerations, mapping specific controls to mandates such as PCI DSS, HIPAA, and SOX.

On day 6, we'll cover the top virtualization configuration and hardening guides from DISA, CIS, Microsoft, and VMware, and talk about the most important and critical things to take away from these to implement, with a session on scripting audit and assessment checks that will help you put this into practice right away. Then we'll go in-depth into data security within a private cloud environment, discussing encryption and data lifecycle management techniques that will help you keep up with data that is more mobile than ever before. Identity and Access Management (IAM) within a virtualized/cloud environment will be covered, and we'll wrap up with a thorough session on disaster recovery and business continuity planning that leverages and benefits from virtualization and cloud-based technology.

*For SEC579 Virtualization and Private Cloud Security courses conducted in the United States, a Laptop will be provided for class use. However, for International events and Onsite Classes, a Hard Drive will be provided for class use.

Course Syllabus

SEC579.1: Virtualization Security Architecture and Design

Overview

The first day of class will cover the foundations of virtualization infrastructure and different technology types. We'll define and clarify the differences between server virtualization, desktop virtualization, application virtualization, and storage virtualization, and we'll lay out a simple architecture overview that sets the stage for the rest of the day. Then we'll start dissecting the various virtualization elements that comprise the architecture one-by-one, with a focus on the security configurations that will help you create or revise your virtualization design to be as secure as possible. We'll start off with hypervisor platforms, covering the fundamental controls that can and should be set within VMware ESX and ESXi, Microsoft Hyper-V, and Citrix XenServer.

Then students will spend considerable time analyzing and constructing virtual networks with security in mind. We'll compare and contrast various designs for internal networks and DMZs, with special attention paid to segmentation and physical network connectivity. Virtual switch types will be discussed, along with VLANs and PVLANs, and how to configure them for the most robust segmentation possible. We'll finish the day with two additional sections. The first will cover virtual machine settings, with an emphasis on VMware VMX files. We'll look at the options organizations have to carefully control access to and from these VMs, and this will lead to the last section of the day - storage and storage security. One of the most overlooked security areas today, large-scale storage plays a critical role in virtualization and private cloud infrastructure, and some tips and tactics will be covered that help organizations better secure Fibre Channel, iSCSI, and NFS-based NAS technology.

CPE/CMU Credits: 6

Topics

Virtualization components and architecture designs

Different types of virtualization, ranging from desktops to servers and applications

SEC579.2: Virtualization and Private Cloud Infrastructure Security

Overview

Day 2 finishes the previous day's coverage of virtualization design elements, starting with virtualization management. VMware vCenter, Microsoft System Center Virtual Machine Manager (SCVMM), and Citrix XenCenter will all be covered, with an emphasis on vCenter. Client connectivity and security will also be discussed, both from a configuration and design standpoint. Next, Virtual Desktop Infrastructure (VDI) will be covered, with emphasis on security principles and design. Specific security-focused use cases for VDI, such as remote access and network access control, will also be mentioned.

Next, we'll design a secure private cloud architecture! There are many considerations for organizations migrating from virtualization to a private cloud, and a number of these affect security. We'll revisit all the areas previously covered for virtualization, ranging from networks to hypervisors to virtual machines, and point out where security configuration and design differ for a cloud model. We'll also break down a number of different private cloud models for specific business use cases, and students will analyze security controls within these models.

The next section on Day 2 will delve into network security, adapted to fit into a virtual infrastructure. Do firewalls and network access controls work the same with virtual systems and cloud models? We'll find out! Students will take an in-depth look at virtual firewalls and will even set one up. Virtual switches will be revisited here, as they pertain to segmentation and access controls. Students will also build a virtualized intrusion detection model, integrating promiscuous interfaces and traffic capture methods into virtual networks, and then setting up and configuring a virtualized IDS sensor. Some attention will also be paid to host-based IDS, with considerations for multitenant platforms and the performance impact any agent-based product can have in a virtual environment.

CPE/CMU Credits: 6

Topics

How to lock down management servers and clients for vCenter, XenServer, and Microsoft SCVMM

SEC579.3: Virtualization Offense and Defense (Part I)

Overview

In this session, we'll delve into the offensive side of security specific to virtualization and cloud technologies. While many key elements of vulnerability management and penetration testing are similar to traditional environments, there are many differences that we will cover.

First, we'll cover a number of specific attack scenarios and models that represent the different risks organizations face in their virtual environments. Then we'll go through the entire penetration testing and vulnerability assessment lifecycle, with an emphasis on virtualization tools and technologies. We'll progress through scanners and how to use them for assessing virtual systems, as well as virtualization exploits and attack toolkits that can be easily added into existing pen test regimens. We'll also cover some specific techniques that may help in cloud environments and provide examples of scenarios where certain tools and exploits are less effective or more risky to use than others.

After covering the offensive side of things, we'll turn to intrusion detection, starting with a simple architecture refresher on how IDS and monitoring technologies fit into a virtual infrastructure. Students will then learn about monitoring traffic and looking for malicious activity within the virtual network, and numerous network-based and host-based tools will be covered and implemented in class. This topic will also be extended to the private cloud environment, with some special caveats that all organizations should pay attention to.

Finally, students will learn about logs and log management in virtual environments. What kinds of logs do virtualization platforms produce, and what should organizations focus on? How can these logs (for both hypervisors and VMs) fit into a Security Information and Event Management (SIEM) solution? What should we look for to find attacks and security issues? We'll cover all this, and more, in this session.
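As an added example of the SIEM-side rules the paragraph above alludes to (this is not SANS or VMware code), here is a small Python detector over the sshd lines an ESXi host writes to /var/log/auth.log. The sample log lines are constructed for the example; they follow the OpenSSH "Accepted/Failed <method> for <user> from <ip> port <n> ssh2" message format with the ISO 8601 timestamp and hostname prefix ESXi syslog produces. The rule names and the management-network allow-list parameter are this example's own.

```python
"""Detection over ESXi sshd lines from /var/log/auth.log (forwarded to a SIEM).

Added example, not SANS or VMware code. SAMPLE_LOG is constructed; it follows
the OpenSSH 'Accepted|Failed <method> for <user> from <ip> port <n> ssh2'
message format, prefixed with the ISO 8601 timestamp and hostname ESXi syslog
writes. Rule names and the allow-list parameter are this example's own.
"""
import re
from collections import Counter

LOG_RE = re.compile(
    r'^(?P<ts>\S+)\s+(?P<host>\S+)\s+sshd\[\d+\]:\s+'
    r'(?P<result>Accepted|Failed)\s+(?P<method>\S+)\s+for\s+'
    r'(?:invalid user\s+)?(?P<user>\S+)\s+from\s+(?P<src>\S+)\s+port\s+(?P<port>\d+)'
)

SAMPLE_LOG = [  # constructed for this example
    "2013-03-04T10:14:58Z esx01 sshd[5890]: Failed password for root from 10.9.9.9 port 44001 ssh2",
    "2013-03-04T10:14:59Z esx01 sshd[5891]: Failed password for root from 10.9.9.9 port 44002 ssh2",
    "2013-03-04T10:15:00Z esx01 sshd[5892]: Failed password for admin from 10.9.9.9 port 44003 ssh2",
    "2013-03-04T10:15:01Z esx01 sshd[5893]: Failed password for invalid user oracle from 10.9.9.9 port 44004 ssh2",
    "2013-03-04T10:15:22Z esx01 sshd[5912]: Accepted keyboard-interactive/pam for root from 10.9.9.9 port 44010 ssh2",
    "2013-03-04T10:20:00Z esx02 sshd[6001]: Accepted publickey for backupsvc from 10.0.50.5 port 51234 ssh2",
    "2013-03-04T10:20:09Z esx02 sshd[6001]: Connection closed by 10.0.50.5",
]


def parse_auth_line(line):
    """Return the fields of an sshd auth event, or None for any other line."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def detect(lines, fail_threshold=3, allowed_admin_sources=frozenset()):
    """Apply three rules and return (rule, host, src, detail) tuples.

    ssh_bruteforce: >= fail_threshold failures from one source at one host.
    root_ssh_login: any interactive root login to a hypervisor; with Lockdown
        Mode or SSH disabled as the baseline, this should never be routine.
    ssh_login_from_unlisted_source: successful login from a source outside
        the management-network allow-list.
    """
    events = [e for e in map(parse_auth_line, lines) if e]
    findings = []

    failures = Counter((e["host"], e["src"]) for e in events if e["result"] == "Failed")
    for (host, src), n in sorted(failures.items()):
        if n >= fail_threshold:
            findings.append(("ssh_bruteforce", host, src, n))

    for e in events:
        if e["result"] != "Accepted":
            continue
        if e["user"] == "root":
            findings.append(("root_ssh_login", e["host"], e["src"], e["user"]))
        if e["src"] not in allowed_admin_sources:
            findings.append(("ssh_login_from_unlisted_source", e["host"], e["src"], e["user"]))
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG, allowed_admin_sources={"10.0.50.5"}):
        print(finding)
```

Two operational caveats go with this: ESXi keeps its logs under /scratch, which is a RAM disk when no persistent scratch location is configured, so they do not survive a reboot; set Syslog.global.logHost so lines like these reach the SIEM in real time. And a rule like root_ssh_login only has value if the baseline (SSH disabled, or Lockdown Mode with named administrators) makes an interactive root login genuinely anomalous.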

CPE/CMU Credits: 6

Topics

Attack models that pertain to virtualization and cloud environments

Pen testing cycles with a focus on virtualization and cloud attack types

Specific virtualization platform attacks and exploits

How to modify vulnerability management processes and scanning configuration to get the best results in virtualized environments

SEC579.4: Virtualization Offense and Defense (Part II)

Overview

This session is all about defense! We'll start off with an analysis of anti-malware techniques. We'll look at traditional antivirus, whitelisting, and other tools and techniques for combating malware, with a specific eye toward virtualization and cloud environments. New commercial offerings in this area will also be discussed to provide context.

The majority of this session will focus on incident response and forensics in a virtualized or cloud-based infrastructure. We'll walk students through the six-step incident response cycle taught by SANS (which maps onto the four phases of the NIST SP 800-61 lifecycle), and highlight exactly how virtualization fits into the "big picture." Students will discuss and analyze incidents at each stage, again with a focus on virtualization and cloud. We'll finish the incident response section with processes and procedures organizations can put to use right away to improve their awareness of virtualization-based incidents.

The final section of the day will focus on forensics, and how students can adapt forensics processes to work in virtual and cloud environments. We'll capture and duplicate VMs, and ensure these VMs are sound and maintained in a "best practices" format for proper chain-of-custody retention. The current landscape of forensics tools will be covered, with a focus on which work best to analyze virtual images and data from virtual infrastructure. A special focus will be given to the analysis of hypervisor platforms, as well.

CPE/CMU Credits: 6

Topics

How anti-malware tools function in virtual and cloud environments

What kinds of new tools and tactics are available for effective anti-malware operations in the cloud and virtual machines

How the 6-step incident response process can be modified and adapted to work with virtual infrastructure

What kinds of incidents to look for within virtual environments, and what the warning signs are

Processes and procedures to build and grow incident response capabilities for virtual environments

How forensics processes and tools should be used and adapted for virtual systems

What tools are best to get the most accurate results from virtual machine system analysis

How to most effectively capture virtual machines for forensic evidence analysis

What can be done to analyze hypervisor platforms, and what the future of VM forensics holds

Overview

This session will explore how traditional security and IT operations change with the addition of virtualization and cloud technology in the environment. Our first discussion will be a lesson in contrast! First, we'll present an overview of integrating existing security into virtualization. Then, we'll take a vastly different approach, and outline how virtualization actually creates new security capabilities and functions! This will give students a solid grounding in just what a paradigm shift virtualization is, and how security can benefit from it while still needing to adapt in many ways.

Our first step in integrating virtualization into the existing environment will be to lay out a sound risk assessment process that security professionals can use to determine where the threats, vulnerabilities, and impacts are. With virtualization and cloud technologies, risk profiles are very different, and security teams will need to evaluate technology and infrastructure differently in order to adequately advise the business where to focus and how to allocate resources to best protect itself. Cloud technologies get a more in-depth treatment as well, with a description of the Jericho Forum Cloud Cube model and how it can be leveraged by organizations to assess risk for their internal clouds.

We'll then spend some time on policy and governance for both virtualization and cloud technologies. What kinds of new policies are needed? What existing policies need to be updated? We'll cover that! We'll also provide guidance for information security managers who need to answer some tough questions from organizational leadership about how and why cloud and virtualization security measures should be implemented.

Next we'll dive into change and configuration management tactics and processes for virtualization and cloud. These are critical elements of a sound operations strategy with these technologies, but most organizations do not update existing change and configuration processes substantially to accommodate them! There are many pieces to this, ranging from patching to application development specifics, and we'll touch on all of them. We'll wrap up the day with some general compliance guidelines that address specific controls needed for some of the major compliance mandates, including PCI DSS, HIPAA, and SOX.

CPE/CMU Credits: 6

Topics

How security can adapt to accommodate virtualization infrastructure

How virtualization tools and technology can augment and facilitate security!

SEC579.6: Confidentiality, Integrity, and Availability with Virtualization and Cloud

Overview

Today's session will start off with a lively discussion on virtualization assessment and audit. You may be asking - how will you possibly make a discussion on auditing lively? Trust us! We'll cover the top virtualization configuration and hardening guides from DISA, CIS, Microsoft, and VMware, and talk about the most important and critical things to take away from these to implement. We'll really put our money where our mouth is next - students will learn to implement audit and assessment techniques by scripting with the VI CLI (VMware's vSphere CLI), as well as some PowerShell (VMware PowerCLI) and general shell scripting! Although not intended to be an in-depth class on scripting, some key techniques and ready-made scripts will be discussed to get students prepared for implementing these principles in their environments as soon as they get back to work.

Next we'll cover two critical topics for private cloud implementations (and virtual machines in general): data security and encryption, and Identity and Access Management (IAM). As organizations have more and more mobile VMs moving through their data centers, and as they extend private clouds to cloud providers, partners, and others, the need to protect the entire VM is greater than ever.

Encryption techniques and data lifecycle processes can improve the security of virtual and cloud environments enormously, and we'll delve into the key things security and operations teams need to know, including PKI, commercial tools for implementing data protection, and an easy-to-implement method for evaluating and updating data lifecycle management policies and processes. Identity and Access Management (IAM) is a key component of many cloud infrastructures, especially those that need to integrate with partners and other external parties. We'll take a look at the key things organizations need to know when implementing and evaluating IAM tools and capabilities in private clouds.

The last major section of this day's session will cover something critical to all enterprises - Disaster Recovery (DR) and Business Continuity Planning (BCP). Virtualization and cloud technology and architecture can help organizations implement much more robust DR and BCP strategies, and we'll go into some real depth on what tools are available to help with this. In addition, students will learn about updates they'll need to make to policies and evaluation techniques for DR and BCP that more accurately take the new virtualized infrastructure into account.

CPE/CMU Credits: 6

Topics

Assessment and audit plans for virtualization and private cloud components

Key configuration controls from the leading hardening guides from DISA, CIS, VMware, and Microsoft

Scripting techniques in VI CLI and PowerShell for automating audit and assessment processes

Sample scripts that help implement key audit functions

Encryption tools and techniques for securing mobile VMs

Data lifecycle policies and processes to ensure VMs and their data are monitored and updated

Identity and Access Management (IAM) fundamentals for private clouds

In-depth DR and BCP processes and capabilities that virtualization and private clouds can augment
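The day 1 section on VMware VMX files and the day 6 session on scripted audit against the hardening guides meet in the following added example (not SANS or VMware code, and not one of the course's own scripts): a Python script that parses a .vmx file, audits it against a small baseline, and emits a hardened copy. The keys in BASELINE are real advanced settings named in the VMware vSphere Hardening Guide and the CIS ESXi benchmark; the numeric values are the commonly cited ones and should be checked against the guide version your organization adopts. The sample VMX is constructed for the example.

```python
"""Audit a VMware .vmx file against a small hardening baseline and emit a
hardened copy.

Added example, not SANS or VMware code. The keys in BASELINE are real
advanced settings named in the VMware vSphere Hardening Guide and the CIS
ESXi benchmark; the numeric values are the commonly cited ones and should be
checked against the guide version you adopt. SAMPLE_VMX is constructed.
"""
import re

# A VMX file is a flat list of:  key = "value"
VMX_LINE = re.compile(r'^\s*([A-Za-z0-9_.:\-]+)\s*=\s*"(.*)"\s*$')

# canonical key -> expected value (keys compared case-insensitively)
BASELINE = {
    "isolation.tools.copy.disable": "TRUE",          # guest<->console clipboard
    "isolation.tools.paste.disable": "TRUE",
    "isolation.tools.dnd.disable": "TRUE",           # drag and drop
    "isolation.tools.setGUIOptions.enable": "FALSE",
    "isolation.tools.diskShrink.disable": "TRUE",    # guest-triggered disk shrink
    "isolation.tools.diskWiper.disable": "TRUE",
    "isolation.device.connectable.disable": "TRUE",  # guest (dis)connecting devices
    "isolation.device.edit.disable": "TRUE",
    "RemoteDisplay.maxConnections": "1",             # one console session at a time
    "tools.setInfo.sizeLimit": "1048576",            # cap guestinfo written by guest
    "log.keepOld": "10",                             # bounded vmware.log growth
    "log.rotateSize": "100000",
}

SAMPLE_VMX = """\
.encoding = "UTF-8"
config.version = "8"
virtualHW.version = "8"
displayName = "web01"
guestOS = "rhel6-64"
isolation.tools.copy.disable = "FALSE"
isolation.tools.paste.disable = "TRUE"
RemoteDisplay.maxConnections = "5"
log.keepOld = "10"
"""


def parse_vmx(text):
    """Return {key_lowercased: value} for every well-formed line."""
    settings = {}
    for line in text.splitlines():
        m = VMX_LINE.match(line)
        if m:
            settings[m.group(1).lower()] = m.group(2)
    return settings


def audit_vmx(settings, baseline=BASELINE):
    """Return [(key, expected, actual_or_None)] for each baseline deviation.

    A missing key is reported too: the hardening guides want these set
    explicitly rather than relying on the hypervisor's default.
    """
    findings = []
    for key, expected in baseline.items():
        actual = settings.get(key.lower())
        if actual is None or actual.strip().lower() != expected.lower():
            findings.append((key, expected, actual))
    return findings


def harden_vmx(text, baseline=BASELINE):
    """Return VMX text with every baseline key set: existing lines are
    rewritten in place, missing keys appended at the end.

    Only edit the .vmx of a powered-off VM; a running VM does not reread it
    and ESXi rewrites the file at power-off. For running VMs set the same
    keys through vCenter (for example PowerCLI New-AdvancedSetting).
    """
    wanted = {k.lower(): (k, v) for k, v in baseline.items()}
    out, seen = [], set()
    for line in text.splitlines():
        m = VMX_LINE.match(line)
        if m and m.group(1).lower() in wanted:
            key, value = wanted[m.group(1).lower()]
            out.append('{} = "{}"'.format(key, value))
            seen.add(key.lower())
        else:
            out.append(line)
    for lower, (key, value) in wanted.items():
        if lower not in seen:
            out.append('{} = "{}"'.format(key, value))
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for key, expected, actual in audit_vmx(parse_vmx(SAMPLE_VMX)):
        print("FAIL {:<40} want {:<8} got {}".format(key, expected, actual))
    print(harden_vmx(SAMPLE_VMX))
```

Run against a directory of .vmx files pulled from a datastore, audit_vmx gives the per-VM deviation list the hardening guides ask auditors to produce; harden_vmx is the remediation for powered-off templates, which is where these settings are best fixed so every VM deployed from the template inherits them.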

Additional Information

Laptop Required

Laptops for SEC579 lab exercises will be provided for students to use during class.* Students will be given CDs with labs loaded to take home after class.

*For SEC579 Virtualization and Private Cloud Security courses conducted in the United States, a laptop will be provided for class use. However, for International events and Onsite Classes, a Hard Drive will be provided for class use.

For those classes where students are required to provide their own laptop, students will need a laptop with: